Open Source and information security mailing list archives
 
Date: Wed, 17 Feb 2010 03:46:13 -0500
From: "Amit Klein" <amit.klein@...steer.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Trusteer Rapport Security Circumvention

Hello BugTraq

Andrew Barkley of Computer Sciences Corporation contacted us with this
around the same time it was posted to BugTraq. Since then we've fixed
the issue and are now completing the QA cycle with the intention of
releasing this fix 12 hours after learning about the problem. 

Best,
-Amit
Amit Klein, CTO, Trusteer


> -----Original Message-----
> From: barkley@....net [mailto:barkley@....net] 
> Sent: Tuesday, February 16, 2010 12:58
> To: bugtraq@...urityfocus.com
> Subject: Trusteer Rapport Security Circumvention
> 
> Hi,
> 
> 
> Trusteer is an innovative software to combat fraud, thus its 
> global uptake in the financial sector. Trusteer also seems 
> quite adamant that their software is bullet-proof, their 
> website pretty much sums it up. However, on having a closer 
> look and some tinkering, I discovered a complete no brainer 
> vector for circumventing Trusteer's security. I've tested 
> this on various XP platforms successfully, please feel free to 
> notify the vendor as you wish and/or to publish whatever you 
> feel appropriate under the circumstances.
> 
> 
> http://www.trusteer.com/solutions
> http://www.trusteer.com/product-0
> http://www.trusteer.com/product/technology
> Trusteer Rapport locks down your browser once you connect to 
> a sensitive website such as your bank. Any malicious software 
> that tries to ride on the browser is left out of the locked 
> down browser, and cannot access your sensitive information 
> and transactions. Rapport also locks down communication 
> between your browser and the bank, preventing any 
> network-based attack from diverting traffic to fraudulent locations.
> 
> 
> The following illustrates how malware on entering a system by 
> whichever means, and on detecting Trusteer's services, can 
> easily (automated/scripted) disable Trusteer's security for 
> whatever malevolent purposes.
> 
> 
> Step-by-step illustration, how to easily circumvent 
> Trusteer's security.
> 
> Firstly, disable Trusteer's service (RapportMgmtService.exe) 
> in your active Hardware Profile. Trusteer doesn't protect 
> this option, thus this is a good starting point for now.
> i.e.
> [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
> "CSConfigFlags"=dword:00000001
> 
> NOTE: This in fact disables Trusteer's service 
> (RapportMgmtService.exe) in the Services.msc GUI i.e.
> Services.msc > "Rapport Management Service" > "Log On" > 
> "Hardware Profile" > "Disabled"
> 
> 
> On the very next reboot, at least one reboot is required to 
> disable the kernel driver (RapportPG.sys), Trusteer's service 
> (RapportMgmtService.exe) should now be inactive/disabled, and 
> thus you'll be able to rename Trusteer's now unprotected folders.
> i.e. Command Prompt
> C:\> cd \"Program Files"
> C:\> rename Trusteer TrusBeer
> 
> NOTE: At this point the web browser's not protected by 
> Trusteer, nor are Trusteer's software & system settings 
> protected, thus pretty much open to your imagination.
> 
> 
> The following step is not required, especially seeing as 
> Trusteer's service (RapportMgmtService.exe) was disabled 
> previously in the active Hardware Profile. However, should 
> you also wish to reconfigure Trusteer's now unprotected 
> drivers & services to start manually, or even disable/delete 
> completely, you may or may not have to reboot one more time, 
> as the following step may need another reboot to take 
> advantage of the previously now renamed unprotected folders 
> in the previous step.
> i.e. Command Prompt
> C:\> sc config RapportMgmtService start= demand
> C:\> sc config RapportPG start= demand
> 
> 
> Should you wish to cover your tracks (you'll also have to 
> clear event logs), rename Trusteer's home folder back to the 
> original and restore the Hardware Profile registry entry.
> i.e.
> [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
> "CSConfigFlags"=dword:00000000
> 
> i.e. Command Prompt
> C:\> cd \"Program Files"
> C:\> rename TrusBeer Trusteer
> 
> 
> Cheers
> 
> Andrew Barkley
> (-_-)
> 
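
A defensive check for the hardware-profile setting described in the report, as an added example that is not part of either message and is not Trusteer's code: it scans a regedit-format export of HKEY_CURRENT_CONFIG for LEGACY_* service entries whose CSConfigFlags has the disabled bit set. The sample export, the LEGACY_EXAMPLESVC key and the function name are constructed for illustration; the bit value 0x1 is CSCONFIGFLAG_DISABLED from the Windows SDK header regstr.h.

```python
import re

CSCONFIGFLAG_DISABLED = 0x1  # regstr.h: entry is disabled in this hardware profile

# Constructed sample in regedit export format (not captured from a real host).
# Real exports are usually UTF-16; decode them to str before calling the function.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
"CSConfigFlags"=dword:00000001

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_EXAMPLESVC\0000]
"CSConfigFlags"=dword:00000000

[HKEY_CURRENT_CONFIG\Software\Fonts]
"LogPixels"=dword:00000060
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
FLAG_RE = re.compile(r'^"CSConfigFlags"=dword:([0-9a-f]{8})$', re.IGNORECASE)
ENUM_ROOT = r'hkey_current_config\system\currentcontrolset\enum\root\legacy_'


def find_profile_disabled_services(export_text):
    """Return [(service_name, flags)] for LEGACY_* entries disabled in the profile."""
    findings, current_key = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)  # remember which key the next values belong to
            continue
        m = FLAG_RE.match(line)
        if not (m and current_key):
            continue
        if not current_key.lower().startswith(ENUM_ROOT):
            continue  # value name matches but key is outside Enum\ROOT\LEGACY_*
        flags = int(m.group(1), 16)
        if flags & CSCONFIGFLAG_DISABLED:
            # Key has the form ...\ROOT\LEGACY_<SERVICE>\0000
            service = current_key[len(ENUM_ROOT):].split('\\')[0]
            findings.append((service, flags))
    return findings


if __name__ == '__main__':
    for service, flags in find_profile_disabled_services(SAMPLE_EXPORT):
        print(f'{service}: CSConfigFlags=0x{flags:08x} (disabled in hardware profile)')
```

Because the report notes the value can be set back to zero afterwards, a single clean scan is weaker evidence than comparing periodic exports or auditing writes to the key.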
